EU Cybersecurity Directive Welcomed in the “Wild West”?

Posted on 17th December 2015 at 10:10 am

On 7 December 2015 the European Parliament announced it had reached an informal agreement with the European Council on common rules to strengthen network and information security (NIS), the NIS Directive.

The absence of EU control and regulation in this area was summed up by the executive director of the EU’s Agency for NIS, comparing the internet to a virtual “Wild West”. The new NIS directive will set out cybersecurity obligations for “operators of essential services” and “digital service providers”.

What is the background to the NIS Directive?

Cybersecurity has been on the Commission’s agenda since a 2001 NIS Communication (COM(2001)298). In 2013 a Commission Communication (JOIN(2013)) submitted that, for cyberspace to remain open and free, the same fundamental rights, democracy and rule of law which are protected offline should also be protected online. The European Parliament has been pushing hard for EU-wide cybersecurity rules to end the current fragmentation into twenty-eight national cybersecurity systems, and in December 2015 the informal agreement was concluded.

What is the need for the NIS Directive?

The NIS Directive seeks a coordinated approach to cybersecurity across Europe, but why is this necessary? Cyber-attacks have been major news in 2015: think Talk Talk, Ashley Madison and Carphone Warehouse, to name but a few. The number and severity of attacks continue to grow, and whereas previously monetary gain was not a hacker’s priority, there is now a concerning trend toward hacking for profit.

However, the majority of security breaches do not stem from a malicious attack but from human error, for example losing hardware or downloading corrupted files. As the number of people working with data continues to increase, so does the threat to cybersecurity. The NIS Directive recognises this, as well as the possibility of a cross-border attack or breach in the EU which would require a coordinated response from Member States.

What obligations does the NIS Directive impose?

Member States will be required to designate one or more national authorities to deal with cyber matters. To achieve coordination, Member States will be required to cooperate with each other, exchanging best practices. In respect of operational coordination, a network of national computer security incident response teams (CSIRTs) will be set up.

What are “Operators of Essential Services”?

The Directive identifies sectors in which Operators of Essential Services are active, including energy, transport and finance. It will be for Member States to decide which companies operating in their jurisdiction are Operators of Essential Services, using the criteria set out in the Directive:

Is the service critical for society and the economy;

Does the service depend on network and information systems; and

Could an incident have significant disruptive effects on service provision or public safety?

What are “Digital Service Providers”?

The European Parliament defined Digital Service Providers as:

Online marketplaces (e.g. Amazon);

Search engines (e.g. Google); and

Cloud service providers.

What will be the effects on my business?

If your business falls within the definition of Operator of Essential Services or a Digital Service Provider there is an obligation to report cybersecurity breaches under the NIS Directive. Service providers in the UK are currently obligated to report “personal data breaches” to the Information Commissioner’s Office (ICO). The NIS Directive requires “major security incidents” to be reported. Hopefully this overlap will be clarified once the text of the Directive is published.

Operators of Essential Services will have to ensure that the systems they use to deliver essential services are “robust enough to withstand cyber-attacks”. There is a lesser requirement on Digital Service Providers to ensure that their infrastructure is secure. We await further clarification on specific requirements.

When will the NIS directive take effect?

A leaked memo revealed that the Presidency hopes to tie matters up before the holiday period, setting 18 December 2015 as the date for the agreed text. Thereafter, Member States will have twenty-one months to adopt the necessary national provisions and then a further six months to identify Operators of Essential Services.

Timeframe aside, it is in the interests of your business to act now when it comes to cybersecurity. If you haven’t done so already, assess your current cybersecurity measures and keep an eye out for further guidance from the Commission to consider whether or not your service’s current cybersecurity regime provides adequate data protection. The Scottish Government’s Cyber-Essentials Guide is a good place to start.

MacRoberts advises on all aspects of Data Protection Law, including EU Regulation and cybersecurity. For further information, please contact Valerie Surgenor or David Flint.

Author

David specialises in all aspects of non-contentious intellectual property, with particular emphasis on computer-related contracts and issues. He is recognised as a leading expert in intellectual property law, computer/IT law and European law and advises on data protection matters and all types of commercial contract, particularly those with an international element or requiring cross-disciplinary expertise. As a litigator, David has experience in domestic, American and European courts. He has also specialised in corporate insolvency for over 35 years and is author of MacRoberts’ Scottish Liquidation Handbook and other texts on insolvency.

David is a Director of Renfrewshire Chamber of Commerce and Chair of an American Bar Association Committee on Intellectual Property law. He lectures extensively in the UK, the US and internationally in relation to his specialities and is author of the Stair Encyclopaedia section on European competition law, as well as multiple books and articles on intellectual property and cyber law.

David is listed in Who’s Who Legal 2018 as an expert in Data Privacy & Protection and is listed in IP Stars’ 2018 rankings.
